You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Nasty Trojan And Virus Problem

Hi, I have a very nasty Trojan and Virus Problem, which popups into the various chinese websites like //caiyi8.com etc. The popups appears very frequently when I log on to the internet. Virus was detected by VirusScan when connected to the explorer named Win32. Oanum2INT which keeps appearing despite being deleted when scanned.

These were not resolved despite using XoftSpy, Spybot, Ad-Aware and Regcure.

Attached is the Hijack log which I hope you could assist in resolving this headache problem .

Launch SuperAntiSpyware and click on 'Check for updates'.Once the updates have been installed,on the main screen click on 'Scan your computer'.Check: 'Perform Complete Scan'.Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.Make sure everything found has a checkmark next to it,then press 'Next'.Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:Click on 'Preferences'.Click on the 'Statistics/Logs' tab.Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.It will then open in your default text editor,such as Notepad.Copy and paste the contents of that report into your next reply.

************************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method. To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.* Once the short scan has finished, Click Options > Change settings* Choose the "Scan tab" and UNcheck "Heuristic analysis"* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.* When done, a message will be displayed at the bottom advising if any viruses were found.* Click "Yes to all" if it asks if you want to cure/move the file.* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.* Save the DrWeb.csv report to your desktop.* Exit Dr.Web Cureit when done.* Important!Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Click on Start>Run and type Services.msc then hit Ok.Scroll down and find the service's called:E3EE6460EBFA74E0WebPrintWinMessengerIn the next window that opens, click their 'Stop' buttons. Then change their 'Startup Types' to 'Disabled'. Now press Apply and then Ok and close any open windows.

Once the updates have been installed,do the following:Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab. Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'. Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method. To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'. Make sure all browser and all Windows Explorer windows are closed before fixing:

I still keep getting messages from ETrust EZ Antivirus of having the virus infection of Win32.Oanumi!.NII

And during the progress of deleting the files per your instructions, I cant delete the file C:\windows\system32\fkeuf.dll saying that the program is currently running. When I reboot the computer, AVG detected it and I had it quarantined .. probably for like 3-4 times.

Other than the above, hooray!!! No more Ads popups!!! Thanks so much for your help!!!!

Click on Start>Run and type Services.msc then hit Ok.Scroll down and find the service called:Security Machine Manager (MOBILL)When you find it, double-click on it.In the next window that opens, click the 'Stop' button. Then change the 'Startup Type:' to 'Disabled'. Now press Apply and then Ok and close any open windows.

*******************************

Download HostsXpert 3.8: http://www.funkytoad.com/download/HostsXpert.zip1. Extract the zip file to your desktop or a permanent folder on your hard drive.2. Open the folder and double-click on the Hoster.exe3. Press "Restore Microsofts Original Hosts File"4. Press "OK" and exit the program.

Go to: C:\WINDOWS\System32\drivers\etc\HOSTS.1) Right-click on the HOSTS file2) Click Properties3) You will see a window open,at the bottom of the window to the right of Attributes,check the box that says 'Read-only'.4) Click Apply/OK.

Reboot your computer into SAFE MODE using the F8 method. To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:C:\WINDOWS\system32\e6d0.dllC:\WINDOWS\system32\MSRundll.exeC:\DOCUMENTS AND SETTINGS\JiaJia\LOCALSETTINGS\Temp<-Delete everything inside this Temp folder.C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS

Launch CleanUp you installed earlier,then click on 'Options'.Now move the slider on the left up to 'Standard Cleanup!'.Click 'Ok',now run the program by clicking on the 'Cleanup' button.Reboot normally when it's finished.

*******************************

Please run this online virus scan:Activescan using Internet Explorer.Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on Local Disks to start the scan When the scan completes,click the See Report button, then Save Report, and save it to your desktop.

Reboot,post the Activescan report and a new Hijackthis log in your next reply.Let me know how your pc is running now please.

Click on Start>Run and type Services.msc then hit Ok.Scroll down and find the service called:Fast Client (fast)When you find it, double-click on it.In the next window that opens, click the 'Stop' button. Then change the 'Startup Type:' to 'Disabled'. Now press Apply and then Ok and close any open windows.

Reboot your computer into SAFE MODE using the F8 method. To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Download Killbox by Option^Explicit:http://download.bleepingcomputer.com/spyware/KillBox.zipSave it to your desktop.Please double-click Killbox.exe to run it.Select: 'Delete on Reboot'. Then Click on the 'All Files' button.Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

Return to Killbox,go to the File menu,and choose 'Paste from Clipboard'.Click the red-and-white Delete File button. Click 'Yes' at the 'Delete on Reboot' prompt. Click OK at any 'PendingFileRenameOperations' prompt.If your computer does not restart automatically,please restart it manually.

After rebooting, open up Killbox again. Click 'File'>'Logs'>'Actions History Log'.Post this log in your next reply.

***********************

Download and scan with the free 15 day trial of Counterspy V2Save the report when it's finished:1.Once Counterspy has done scanning,the 'Scan Results' box will appear.2.Click on 'View Results'.3.Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to 'Remove'.4.Then click on 'Take Action'.5.Once everything has been removed,click on 'View Details'.6.Copy and Paste those details into a Word/Text document,then save it to your desktop.

Restart your pc,post the Actions History Log from Killbox,the Counterspy report,and a new Hijackthis log into your next reply.Let me know how its running now please.

Cookie: CGI-Bin Cookie (General) more information...Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.Status: Deleted

3721 Chinese Keywords (CNSMin) Browser Plug-in more information...Details: 3721 Chinese Keywords, also known as CNSMin or Adware.CDN, is keyword-lookup provider that takes over the search feature of IE's address bar. It is aimed at providing keywords using Chinese characters.Status: Deleted

Cookie: GeoCities Cookie (General) more information...Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.Status: Deleted

Cookie: ICOO Loader Cookie (General) more information...Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.Status: Deleted

QQHelper Potentially Unwanted Program more information...Details: QQHelper is a program that adds custom emoticons for QQ. It also installs an auto-update module that is not uninstalled with the main program.Status: Ignored